The ALG providing user authentication intermediary services must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-279166	SRG-NET-000169-ALG-000102	SYME-00-002500	SV-279166r1170654_rule	2025-12-16	1

Description
Before continuing, the site must follow the configuration steps for adding Common Access Card (CAC) and LDAPS authentication realms and the SSH Console CAC items under SYME-ND-000190. Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating nonorganizational users, their access to network resources can be restricted accordingly. Nonorganizational users will be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. This control applies to application layer gateways that provide content filtering and proxy services on network segments (e.g., DMZ) that allow access by nonorganizational users. This requirement focuses on authentication requests to the proxied application for access to destination resources and policy filtering decisions rather than administrator and management functions. Satisfies: SRG-NET-000169-ALG-000102, SRG-NET-000015-ALG-000016, SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095, SRG-NET-000164-ALG-000100, SRG-NET-000166-ALG-000101, SRG-NET-000018-ALG-000017, SRG-NET-000019-ALG-000018, SRG-NET-000019-ALG-000019, SRG-NET-000400-ALG-000097

Description

Before continuing, the site must follow the configuration steps for adding Common Access Card (CAC) and LDAPS authentication realms and the SSH Console CAC items under SYME-ND-000190. Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating nonorganizational users, their access to network resources can be restricted accordingly. Nonorganizational users will be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. This control applies to application layer gateways that provide content filtering and proxy services on network segments (e.g., DMZ) that allow access by nonorganizational users. This requirement focuses on authentication requests to the proxied application for access to destination resources and policy filtering decisions rather than administrator and management functions. Satisfies: SRG-NET-000169-ALG-000102, SRG-NET-000015-ALG-000016, SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095, SRG-NET-000164-ALG-000100, SRG-NET-000166-ALG-000101, SRG-NET-000018-ALG-000017, SRG-NET-000019-ALG-000018, SRG-NET-000019-ALG-000019, SRG-NET-000400-ALG-000097

ℹ️ Check
In the Edge SWG Web UI, navigate to the Visual Policy Manager (VPM). If there is not a Web Access Layer, and the authorization has not been configured on this layer for the proxy users based on the CAC/LDAP authentication realm, this is a finding. If there are not specific services restricted to each group, this is a finding. Ensure there is a CPL layer that includes a client certificate requirement rule; otherwise, this is a finding.

ℹ️ Check

In the Edge SWG Web UI, navigate to the Visual Policy Manager (VPM). If there is not a Web Access Layer, and the authorization has not been configured on this layer for the proxy users based on the CAC/LDAP authentication realm, this is a finding. If there are not specific services restricted to each group, this is a finding. Ensure there is a CPL layer that includes a client certificate requirement rule; otherwise, this is a finding.

✔️ Fix
1. In the Edge SWG Web UI, navigate to the VPM. 2. Add a web access layer called "Web Access Layer". 3. Click "Add a rule." 4. Under "Source", left-click and select "Set". 5. Click "Add a new object" and select "Group". 6. Enter the full DN of the LDAP group. For example: CN=broadcom.proxyusers.gsg,OU=BROADCOM,DC=dod,DC=mil 7. Under "Authentication Realm", select the CAC Certificate. 8. Click "Apply" and then click "Set". 9. Click "Service" and then click "Set". 10. Click "Add a new object". 11. Click "Client Protocol", select "HTTP", and then click "Apply and set". 12. Under "Action", left-click and set to "Allow". 13. Under "Track", left-click "Add a new Object". 14. Click "Event Log". 15. Under "Details", add the following text: "$(appliance.name)$(appliance.primary_address)$(c-ip)$(c-port)$(c-uri)$(c-uri-address)$(c-uri-cookie-domain)$(c-uri-extension)$(c-uri-host)$(c-uri-hostname)$(c-uri-path)$(c-ur-pathquery)$(client.address)$(client.certificate.subject)$(client.host)$(client.public_address)$(cs-auth-group)$(cs-categories-policy)$(date)$(user.name)$(user.x509.subject)" 16. Under "Category", select "All". 17. Under "Display options", select "Both". 18. Click "Apply and set". 19. Repeat the above procedure for each service/protocol being proxied with authorization enforcement. For example, ensure HTTPS is selected when doing HTTPS and not HTTP. 20. Click "Apply Policy". 1. Navigate to the top of the VPM and add a new layer. It must be a CPL layer. 2. Include the following in the layer text: <Proxy> url.regex="ssl://" authenticate(no) <Proxy>client.certificate.require(yes) service.name=!(CAC-MC-Notify,HTTPS-Console) authenticate(CAC) authenticate.force(no) authenticate.mode(auto) Note: The CAC-MC-Notify and HTTPS-Console must match a proxy or reverse service in use. The authenticate(CAC) must represent the Certificate Authentication Realm previously configured. 3. Click "Apply Policy".

✔️ Fix

1. In the Edge SWG Web UI, navigate to the VPM. 2. Add a web access layer called "Web Access Layer". 3. Click "Add a rule." 4. Under "Source", left-click and select "Set". 5. Click "Add a new object" and select "Group". 6. Enter the full DN of the LDAP group. For example: CN=broadcom.proxyusers.gsg,OU=BROADCOM,DC=dod,DC=mil 7. Under "Authentication Realm", select the CAC Certificate. 8. Click "Apply" and then click "Set". 9. Click "Service" and then click "Set". 10. Click "Add a new object". 11. Click "Client Protocol", select "HTTP", and then click "Apply and set". 12. Under "Action", left-click and set to "Allow". 13. Under "Track", left-click "Add a new Object". 14. Click "Event Log". 15. Under "Details", add the following text: "$(appliance.name)$(appliance.primary_address)$(c-ip)$(c-port)$(c-uri)$(c-uri-address)$(c-uri-cookie-domain)$(c-uri-extension)$(c-uri-host)$(c-uri-hostname)$(c-uri-path)$(c-ur-pathquery)$(client.address)$(client.certificate.subject)$(client.host)$(client.public_address)$(cs-auth-group)$(cs-categories-policy)$(date)$(user.name)$(user.x509.subject)" 16. Under "Category", select "All". 17. Under "Display options", select "Both". 18. Click "Apply and set". 19. Repeat the above procedure for each service/protocol being proxied with authorization enforcement. For example, ensure HTTPS is selected when doing HTTPS and not HTTP. 20. Click "Apply Policy". 1. Navigate to the top of the VPM and add a new layer. It must be a CPL layer. 2. Include the following in the layer text: <Proxy> url.regex="ssl://" authenticate(no) <Proxy>client.certificate.require(yes) service.name=!(CAC-MC-Notify,HTTPS-Console) authenticate(CAC) authenticate.force(no) authenticate.mode(auto) Note: The CAC-MC-Notify and HTTPS-Console must match a proxy or reverse service in use. The authenticate(CAC) must represent the Certificate Authentication Realm previously configured. 3. Click "Apply Policy".